Showing posts with label escape html in rails. Show all posts

Thursday, May 13, 2010

Escaping HTML in Rails, sanitize method in Rails

http://railspikes.com/2008/1/28/auto-escaping-html-with-rails
http://stackoverflow.com/questions/698700/escaping-html-in-rails

strip_tags(html)
Strips all HTML tags from the html, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.

Examples

  strip_tags("Strip <i>these</i> tags!")
  # => Strip these tags!

  strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
  # => Bold no more!  See more here...

  strip_tags("<div id='top-bar'>Welcome to my website!</div>")
  # => Welcome to my website!

strip_links(html)
Strips all link tags from text leaving just the link text.

Examples

  strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
  # => Ruby on Rails

  strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
  # => Please e-mail me at me@email.com.

  strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.')
  # => Blog: Visit.

sanitize(html, options = {})
The sanitize helper removes every tag, and strips every attribute, that isn't specifically on the allow list. It also strips href/src attributes whose protocol isn't allowed, javascript: in particular, and it does its best to counter the tricks attackers use to slip past a javascript: filter, such as writing the scheme with unicode, ASCII or hex character references. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>
Add table tags to the default allowed tags (Rails 2 style, in config/environment.rb)
Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end
Remove tags from the default allowed tags
Rails::Initializer.run do |config|
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end
Change allowed default attributes
Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain unescaped '<', '>' and '&' characters that confuse browsers, so sanitize is a filter for markup you have decided to allow, not a substitute for escaping with h() where you only want text.
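As an added example (not code from the original post, and not Rails' own implementation), here is a small stdlib-only Ruby module that reimplements the shape of the three helpers described above: strip_tags, strip_links, and an allow-list sanitize with the same :tags/:attributes idea, including the href/src protocol check and the entity and control-character tricks it has to undo. ToySanitizer, its constants, regexes and method names are all assumptions made for this illustration; the real Rails helpers sit on a proper HTML parser (html-scanner in Rails 2, rails-html-sanitizer/Loofah from 4.2 on), and this regex tokenizer only copes with ordinary markup, so run it to see the mechanics, not as a replacement.

```ruby
require 'erb'   # ERB::Util.html_escape is the escaper behind Rails' h()
require 'set'

# Toy allow-list sanitizer written for this post; not Rails code, not a drop-in.
module ToySanitizer
  DEFAULT_TAGS       = Set.new(%w(a b i em strong p br ul ol li span))
  DEFAULT_ATTRIBUTES = Set.new(%w(href src alt title))
  URI_ATTRIBUTES     = Set.new(%w(href src))          # values must pass safe_url?
  SAFE_PROTOCOLS     = Set.new(%w(http https mailto))
  CONTENT_DROPPED    = Set.new(%w(script style))      # their text is code, not prose

  TOKEN_RE = /<!--.*?-->|<\/?[a-zA-Z][a-zA-Z0-9]*[^>]*>|[^<]+|</m
  TAG_RE   = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>\z/m
  ATTR_RE  = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

  # Tokens: [:comment, raw], [:tag, raw, name, closing?, attrs] or [:text, raw].
  # A '<' that does not start a tag becomes its own :text token.
  def self.tokenize(html)
    html.scan(TOKEN_RE).map do |raw|
      if raw.start_with?('<!--')
        [:comment, raw]
      elsif (m = TAG_RE.match(raw))
        [:tag, raw, m[2].downcase, m[1] == '/', m[3]]
      else
        [:text, raw]
      end
    end
  end

  def self.parse_attributes(attrs)
    attrs.scan(ATTR_RE).map { |name, dq, sq, bare| [name.downcase, dq || sq || bare] }
  end

  # Only encode real scalar values; surrogates/out-of-range would yield invalid UTF-8.
  def self.codepoint(cp)
    (cp < 0xD800 || (cp > 0xDFFF && cp <= 0x10FFFF)) ? [cp].pack('U') : ''
  end

  # Undo the tricks used to sneak "javascript:" past a naive filter: decimal, hex
  # and named entities, plus the control/whitespace characters browsers ignore
  # inside a scheme ("&#106;avascript:", "java\tscript:").
  def self.normalize_url(value)
    s = value.gsub(/&#x([0-9a-f]+);?/i) { codepoint($1.hex) }
    s = s.gsub(/&#(\d+);?/) { codepoint($1.to_i) }
    named = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', 'apos' => "'" }
    s = s.gsub(/&(amp|lt|gt|quot|apos);?/i) { named[$1.downcase] }
    s.gsub(/[\x00-\x20\x7F]/, '').downcase
  end

  # Relative URLs (no scheme) are fine; anything else must use an allowed scheme.
  def self.safe_url?(value)
    scheme = normalize_url(value)[/\A([^\/?#]+):/, 1]
    scheme.nil? || SAFE_PROTOCOLS.include?(scheme)
  end

  # Disallowed tags are removed (their text is kept, except inside script/style),
  # disallowed attributes are dropped, and href/src values must pass safe_url?.
  def self.sanitize(html, tags: DEFAULT_TAGS, attributes: DEFAULT_ATTRIBUTES)
    tags, attributes = Set.new(tags), Set.new(attributes)
    out = +''
    dropping = nil   # name of the script/style element whose content is being discarded
    tokenize(html).each do |type, raw, name, closing, attrs|
      case type
      when :comment then next
      when :text
        out << raw.gsub('<', '&lt;') unless dropping   # '&' and quotes pass through untouched
      when :tag
        if dropping
          dropping = nil if closing && name == dropping
          next
        end
        unless tags.include?(name)
          dropping = name if CONTENT_DROPPED.include?(name) && !closing
          next
        end
        if closing
          out << "</#{name}>"
        else
          kept = parse_attributes(attrs).select do |attr, value|
            attributes.include?(attr) && (!URI_ATTRIBUTES.include?(attr) || safe_url?(value.to_s))
          end
          out << '<' << name
          kept.each { |attr, value| out << " #{attr}=\"#{ERB::Util.html_escape(value.to_s)}\"" }
          out << (attrs.rstrip.end_with?('/') ? ' />' : '>')
        end
      end
    end
    out
  end

  # Plain text only: every tag and comment goes. The result is NOT HTML-escaped,
  # so it still needs h() before being put back into a page.
  def self.strip_tags(html)
    tokenize(html).select { |type, _| type == :text }.map { |_, raw| raw }.join
  end

  # Remove only <a> tags, leaving their text and all other markup untouched.
  def self.strip_links(html)
    tokenize(html).reject { |type, _, name| type == :tag && name == 'a' }.map { |_, raw| raw }.join
  end
end

if __FILE__ == $PROGRAM_NAME
  puts ToySanitizer.sanitize('<a href="&#106;avascript:alert(1)" onclick="x()">click</a>')
end
```

Two design choices matter more than the regexes. First, everything is deny-by-default: a tag or attribute that is not on the list never reaches the output, which is why onclick disappears without anyone having to know about it. Second, the URL is normalised (entities decoded, control characters removed, case folded) before the scheme is compared, because a filter that looks for the literal string "javascript:" is defeated by "&#106;avascript:" or "java\tscript:". The text branch deliberately leaves '&' and quotes alone, which is exactly the well-formedness caveat above.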